The conventional way of protecting a protected domain against hostile attacks from an insecure external information network is to route all data packets transmitted between them through a so-called firewall. At the priority date of this patent application the term “data packets” in this context practically always means TCP/IP packets. The protected domain is almost invariably a private corporate network, but firewall applications also exist for protecting individual computers and small home networks.
A conventional firewall performs packet-level filtering based on packet headers. This means that the firewall examines the TCP/IP header of each packet routed to it and either rejects or passes the packet according to a set of filtering rules defined by a supervisory user who is responsible for network security. As a very conventional example, the supervisory user may impose a strict screening policy under which only those incoming packets whose header shows them to originate from a previously known and trusted external host are passed through to the protected domain. It should be noted that the header is the only evidence such a firewall has: a source address in the header is asserted by whoever built the packet, not verified by the firewall. A firewall can apply different filtering rules to incoming and outgoing packets, and even different rules depending on which user (i.e. which IP address) of the protected domain is involved in the communication.
More versatility can be added to the basic firewall functionality by instructing the firewall to look not only at the TCP/IP header but also at certain other header information within each packet. In packet-switched information networks TCP/IP packets are only the vehicle for transferring any kind of data. As an illustrative example one may regard IP as the way of defining a communications network between a multitude of independently addressable endpoints, and TCP as the way of setting up, maintaining and tearing down temporary communication connections within that network. Completely different protocols then define the form and content of the data that is encapsulated as payload in TCP/IP packets for transmission. A versatile firewall may, for example, apply a filtering rule under which TCP/IP packets from a certain external source are passed only if they belong to an HTTP (hypertext transfer protocol) connection and are rejected otherwise. To implement such a rule the firewall looks far enough into each packet to see whether an HTTP header (i.e. an HTTP request line or status line and the header fields that follow it) comes after the TCP/IP header in the packet.
The concept of stateful inspection has also been introduced in connection with firewalls. At the priority date of this patent application the exact meaning of stateful inspection is not well established, but most often it is taken to mean some kind of time- and connection-dependent firewall functionality. This means that a filtering rule at the firewall is valid e.g. only for the duration of a certain TCP/IP connection; in other words the firewall functionality is tied to the state of each connection. The purpose of such stateful inspection is to “close the doors” after a trusted and accepted connection has come to an end, so that nobody can later deceptively use the same source address by pretending to be the trusted user residing at that address.
The common and most serious drawback of all packet filtering firewall solutions known at the priority date of this patent application is that no attention is actually paid to whether the payload data in the TCP/IP packets is what it pretends to be. At most a firewall recognizes that the stream of packets belonging to a certain active TCP/IP connection appears to carry something defined by protocol X, which we can here denote as the third protocol (given that TCP and IP are the first and second protocols respectively). The firewall may check for indications that a certain third protocol is in use, and use such basic indications in making a filtering decision, but it is not capable of monitoring whether there is anything suspicious in the way in which the third protocol is being used. For example, various video protocols exist that involve procedures complicated enough for the firewall to be essentially incapable of monitoring whether the exchange of packets is proceeding as it should.
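The three firewall behaviours described above (header-based rules that differ by direction and by trusted source, a peek past the TCP/IP header for an HTTP signature, and stateful tracking that closes the door once a connection ends) can be shown in a small simulation. The following is an added example written for this text, not code from the patent or from any product it cites; the packet representation, the addresses, the trusted host and the rule set are all constructed for illustration. The last packet in the trace also demonstrates the drawback just discussed: a payload that merely begins with an HTTP request line passes the signature check no matter what follows it.

```python
"""Toy stateful packet filter.  Added example, not code from the patent or
any product it cites.  The packet format, addresses and rule set are
constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

INTERNAL_PREFIX = "192.0.2."            # assumed address range of the protected domain
TRUSTED_EXTERNAL = {"203.0.113.10"}      # assumed previously known, trusted external host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""          # TCP flags present, any of S (SYN), A (ACK), F (FIN), R (RST)
    payload: bytes = b""     # whatever follows the TCP/IP header


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def looks_like_http(payload: bytes) -> bool:
    """Peek past the TCP/IP header: does an HTTP request line or status line
    come next?  This is a signature check only; it says nothing about whether
    the rest of the stream is valid HTTP."""
    first_line = payload.split(b"\r\n", 1)[0]
    request = (first_line.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT "))
               and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")))
    return request or first_line.startswith(b"HTTP/1.")


class StatefulFilter:
    def __init__(self) -> None:
        # connections the firewall currently regards as open, keyed by
        # (internal ip, internal port, external ip, external port)
        self.conns: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        """Return 'pass' or 'reject' for one packet, updating connection state."""
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        inbound = is_internal(pkt.dst) and not is_internal(pkt.src)
        if not (outbound or inbound):
            return "reject"          # traffic that does not cross the boundary
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))

        if outbound:
            # Rule 1: hosts inside may open connections out; remember the
            # connection so that the replies are let back in.
            if "S" in pkt.flags:
                self.conns.add(key)
            verdict = "pass"
        elif key in self.conns:
            verdict = "pass"         # Rule 2: reply on a tracked connection
        elif (pkt.src in TRUSTED_EXTERNAL and pkt.dport == 80
              and ("S" in pkt.flags or looks_like_http(pkt.payload))):
            # Rule 3: unsolicited inbound only from a trusted host, only to
            # the web port, and only if the payload at least looks like HTTP.
            self.conns.add(key)
            verdict = "pass"
        else:
            verdict = "reject"

        # "Close the doors": a FIN or RST ends the connection, so later packets
        # reusing the same addresses and ports are no longer treated as
        # replies.  (A real implementation would wait for both sides' FINs.)
        if verdict == "pass" and ("F" in pkt.flags or "R" in pkt.flags):
            self.conns.discard(key)
        return verdict


def run_trace(packets: list[Packet]) -> list[str]:
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed trace.  IN = internal host, EXT = untrusted external server.
IN, EXT, TRUSTED = "192.0.2.5", "198.51.100.7", "203.0.113.10"
TRACE = [
    Packet(EXT, IN, 40000, 22, "S"),                   # 0 unsolicited SSH: reject
    Packet(IN, EXT, 50000, 443, "S"),                  # 1 inside opens a connection: pass
    Packet(EXT, IN, 443, 50000, "SA"),                 # 2 reply on it: pass
    Packet(EXT, IN, 443, 50000, "FA"),                 # 3 server closes: pass, door closed
    Packet(EXT, IN, 443, 50000, "A", b"late"),         # 4 same 4-tuple after close: reject
    Packet(TRUSTED, IN, 3333, 80, "A", b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),   # 5 pass
    Packet(TRUSTED, IN, 3334, 80, "A", b"\x16\x03\x01junk"),                    # 6 reject
    Packet(TRUSTED, IN, 3335, 80, "A", b"GET / HTTP/1.1\r\n\x00\xff bogus"),    # 7 passes anyway
]

if __name__ == "__main__":
    for p, v in zip(TRACE, run_trace(TRACE)):
        print(f"{v:6}  {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags} {p.payload[:16]!r}")
```

Packets 3 and 4 show the stateful behaviour: the server's FIN is passed, but a packet reusing the very same addresses and ports afterwards is rejected. Packets 5 to 7 show how far the HTTP peek goes and no further: packet 7 is accepted because its first line reads as an HTTP request, although nothing after it is HTTP.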
The known solution to the above-mentioned drawback is to replace a simple firewall with a more versatile monitoring and controlling arrangement known as an application gateway, or AG for short. An application gateway differs from a firewall in that the firewall is just a packet-level filter that performs filtering packet by packet on the basis of (TCP/IP) header information, while the application gateway comprises complete knowledge of how a certain third protocol should work, so that it can monitor whether a certain connection proceeds according to that third protocol. One of the simplest imaginable application gateway approaches is to check whether all packets that carry the header of a certain third protocol actually conform to the rules of packet composition under that protocol. More elaborate application gateway arrangements may e.g. monitor whether a sequence of handshake messages exchanged under the third protocol conforms to the rules governing such handshakes.
For example, application gateways specific to SMTP (Simple Mail Transfer Protocol) are known. These are security-enhancing devices coupled between the Internet and the e-mail server that runs the e-mail functionality of a corporate network. The task of an SMTP-specific application gateway is to monitor all TCP/IP connections that carry SMTP-related traffic, i.e. e-mails to and from the corporate network, and to ensure that these connections proceed only according to the SMTP specification.
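What "proceeding according to the SMTP specification" amounts to in practice is a state machine over both sides of the connection: the gateway knows which commands are legal in which state, what each command must look like, and which reply code the server must give before the next step is allowed. The following is an added example written for this text, not code from the patent or from any SMTP gateway product it refers to; it covers the basic command sequence and the line-length limits of RFC 5321 only (no STARTTLS, AUTH or PIPELINING), and the two traces at the bottom are constructed.

```python
"""Toy SMTP application gateway.  Added example, not code from the patent or
any product it cites.  One instance tracks one client/server connection and
rejects any exchange that departs from the SMTP command sequence (RFC 5321).
The traces at the bottom are constructed."""
import re

MAX_COMMAND_LINE = 512      # RFC 5321 section 4.5.3.1.4, octets including CRLF
MAX_TEXT_LINE = 1000        # RFC 5321 section 4.5.3.1.6, octets including CRLF

# verb -> (states in which the verb is legal, required syntax, state after a success reply)
GRAMMAR = {
    "EHLO": ({"start", "ready"}, r"^EHLO \S+$", "ready"),
    "HELO": ({"start", "ready"}, r"^HELO \S+$", "ready"),
    "MAIL": ({"ready"}, r"^MAIL FROM:<[^<>\s]*>( .*)?$", "mail"),
    "RCPT": ({"mail", "rcpt"}, r"^RCPT TO:<[^<>\s]+>( .*)?$", "rcpt"),
    "DATA": ({"rcpt"}, r"^DATA$", "data"),
    "RSET": ({"ready", "mail", "rcpt"}, r"^RSET$", "ready"),
    "NOOP": ({"start", "ready", "mail", "rcpt"}, r"^NOOP( .*)?$", None),
    "QUIT": ({"start", "ready", "mail", "rcpt"}, r"^QUIT$", "closed"),
}
# reply code that counts as success for each outstanding command ("." ends DATA)
SUCCESS = {"EHLO": "250", "HELO": "250", "MAIL": "250", "RCPT": "250",
           "DATA": "354", "RSET": "250", "NOOP": "250", "QUIT": "221", ".": "250"}


class SmtpGateway:
    def __init__(self) -> None:
        self.state = "banner"     # waiting for the server's 220 greeting
        self.pending = None       # verb whose server reply is still outstanding

    def feed(self, side: str, line: str) -> str:
        """side is 'C' (client to server) or 'S' (server to client); line is
        one line without CRLF.  Returns 'pass' or 'reject: <reason>'."""
        return self._client(line) if side == "C" else self._server(line)

    def _client(self, line: str) -> str:
        if self.state in ("banner", "closed"):
            return "reject: client data before greeting or after QUIT"
        if self.pending is not None:
            return f"reject: new command before reply to {self.pending}"
        if self.state == "data":                 # message body, not commands
            if len(line) + 2 > MAX_TEXT_LINE:
                return "reject: message line too long"
            if line == ".":
                self.pending = "."               # end of message, expect 250
            return "pass"
        if len(line) + 2 > MAX_COMMAND_LINE:
            return "reject: command line too long"
        verb = line.split(" ", 1)[0].upper()
        if verb not in GRAMMAR:
            return f"reject: unknown command {verb!r}"
        allowed, pattern, _ = GRAMMAR[verb]
        if self.state not in allowed:
            return f"reject: {verb} not allowed in state {self.state}"
        if not re.match(pattern, line, re.IGNORECASE):
            return f"reject: malformed {verb}"
        self.pending = verb
        return "pass"

    def _server(self, line: str) -> str:
        m = re.match(r"^(\d{3})([ -])", line)
        if not m:
            return "reject: malformed reply"
        code, sep = m.groups()
        if self.state == "banner":
            if code != "220":
                return "reject: expected 220 greeting"
            if sep == " ":
                self.state = "start"
            return "pass"
        if self.pending is None:
            return "reject: reply with no outstanding command"
        if sep == "-":
            return "pass"                        # multi-line reply continues
        verb, self.pending = self.pending, None
        if code == SUCCESS[verb]:
            nxt = "ready" if verb == "." else GRAMMAR[verb][2]
            if nxt is not None:
                self.state = nxt
        elif code[0] not in "45":
            return f"reject: unexpected reply {code} to {verb}"
        elif verb == ".":
            self.state = "ready"                 # message refused, transaction over
        return "pass"


def run_trace(events):
    gw = SmtpGateway()
    return [gw.feed(side, line) for side, line in events]


# Constructed traces: a well-formed session, and one that jumps straight to DATA.
GOOD = [("S", "220 mail.example.com ESMTP"), ("C", "EHLO client.example.net"),
        ("S", "250-mail.example.com"), ("S", "250 SIZE 10240000"),
        ("C", "MAIL FROM:<alice@example.net>"), ("S", "250 OK"),
        ("C", "RCPT TO:<bob@example.com>"), ("S", "250 OK"),
        ("C", "DATA"), ("S", "354 End data with <CR><LF>.<CR><LF>"),
        ("C", "Subject: hi"), ("C", ""), ("C", "hello"), ("C", "."),
        ("S", "250 OK: queued"), ("C", "QUIT"), ("S", "221 Bye")]
BAD = [("S", "220 mail.example.com ESMTP"), ("C", "EHLO client.example.net"),
       ("S", "250 mail.example.com"), ("C", "DATA")]

if __name__ == "__main__":
    print(run_trace(GOOD))
    print(run_trace(BAD))
```

The gateway keeps per-connection history (state plus the outstanding command), which is exactly the memory cost the next paragraphs attribute to application gateways, and every line of every connection has to be parsed before it is forwarded, which is the throughput cost.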
The difference between a firewall and an application gateway has been illustrated as follows: a firewall is merely a properly instructed mail sorter who reads the addresses of sender and recipient on each envelope and either forwards or shreds the sealed envelopes accordingly, whereas an application gateway is the corporate lawyer who opens the envelope, reads the letter contained therein and evaluates its true meaning before either passing the letter on to its originally intended recipient or taking some other appropriate action.
An application gateway is definitely an advancement beyond firewalls that only perform packet-level filtering. However, it represents a step backwards in throughput, and a step up in complexity and susceptibility to software crashes. Implementing application gateway functionality requires considerable computational effort, which inevitably increases the expected delay in letting through even packets that are completely legal and valid. Application gateways may require considerably more memory than firewalls, because monitoring the progress and state of connections requires the accumulation of connection history data for each monitored communication. It is sad but true that whenever one increases the amount of program code that is used to perform a certain task, an increase is also to be observed in the probability that the code simply contains an error or otherwise does something unexpected under some specific operational conditions.
The publication U.S. Pat. No. 5,623,601 (Vu) describes the basic concept of an application gateway. The “gateway station” of Vu contains application level proxies that perform data screening in order to reject potentially dangerous packets. All IP packets, ICMP (Internet Control Message Protocol) messages and source-routed packets are intercepted. The publication mentions as a specific advantage that none of them are forwarded between the external, potentially hostile network and the private network; direct communication between the two is effectively disabled. While providing a very good basic level of security, this approach has all the above-mentioned drawbacks relating to limited throughput, high complexity and susceptibility to software crashes due to the sheer amount of program code involved.
The publication U.S. Pat. No. 5,950,195 (Stockwell et al.) actually describes an application gateway arrangement, although it uses the term firewall. The publication specifically states that not only message traffic but also message content is reviewed. This solution, too, involves problems regarding slow processing, complexity, and susceptibility to software crashes.
The publication U.S. Pat. No. 6,182,226 B1 (Reid et al.) is comparable to those mentioned above in that it suggests implementing significant parts of application gateway functionality within the operating system kernel of the “firewall” computer. The kernel is the part of computer software that should operate as fast and as reliably as possible, which is in direct conflict with the teachings of Reid et al.
The publication U.S. Pat. No. 6,212,558 B1 (Antur et al.) provides a listing of firewall types that is in good accordance with the definitions used in this patent application. The publication suggests that the security functions could be distributed over several computer devices in the network. Considerable attention is paid to administering a multitude of firewalls so that uniformity of security policies is maintained.